idea: customizable_types.local

Moray Henderson (ICT) Moray.Henderson at ict.om.org
Wed Nov 11 16:04:15 UTC 2009


Dominick wrote:
<snip>
> >Thats cool, but what if you update your selinux policy? will
> >customizable_types be overwritten? Maybe it would be good to have a
> >customizable_types.local so that you can add your customizable types
> >there and not have to worry about policy updates or restorecond -u.

I've checked selinux-policy-targeted-2.4.6-255.el5_4.1, and customizable_types is marked as a config file.  It would be overwritten, but you would get an rpmsave file so that you could reapply custom changes.  Some of the other files in the contexts dir are config(noreplace); maybe making this one noreplace too would be the better solution.


<snip>
>That is just the issue. Sometimes it is not feasible or sometimes its not
>possible to add a context specification.
>For example the name of you backup file is changable and also its location.
>You might call it backup.tgz and store it in ~ or call it bla.tgz and
>store it in ~/Documents (just an example.

Would

/home/.*/.+\.tgz  --  mybackup_script_home_t

do it?  Although I would have my backup scripts use more standardised names and locations anyway.

<snip>
>Another example is kismet, it will store logs where ever you start it. So
>if you start it in ~ it will (try to) put the logs there. So lets say you
>allow kistmet to manage files with kismet_home_t in user_home_t, Run
>kismet and it starts logging to ~, along comes restorecond -u and resets
>the contexts of the logs to user_home_t (to which kismet incidentally
>cannot write/append)

Not familiar with kismet.  Creating logs wherever it is started sounds like bad behaviour quite apart from any SELinux implications, especially if there really is no way to distinguish a kismet log from any other random *.log file.  Maybe a wrapper script to ensure it starts in a consistent location?  You're right though, that must be the sort of thing customizable_types was designed for.

<snip>
>What if i have a policy that allows some domain to manage a file in
>user_home_t with its own type (example blah_home_t). I start the confined
>domain and notice that any file created by it has user_home_t (instead of
>blah_home_t), whilst i implicitly defined a type transition.
>
>I would expect the file to have the type that i defined and not
>user_home_t. That is confusing as well.

So far when I have been creating policy I have been able to identify unique locations or filename patterns for the files whose types I need to manage.  I put those into the .fc file when writing my policy and therefore the files do get the types I define.

Your way is more flexible than mine, but it would come at the cost of adding another bit of complexity to SELinux - and when it comes to SELinux and complexity, "adding more" is not the first thing I think of :-)


Moray.
"To err is human.  To purr, feline"






More information about the fedora-selinux-list mailing list